design summit - security roadmap - keenan brock, alberto bellotti
DESCRIPTION
This presentation is about how ManageIQ helps with enterprise security. For example, ManageIQ allows admins to design policies that recognize and decommission resources that are vulnerable to specific security exploits. On the roadmap is the ability to integrate with other security tools. For more on ManageIQ, see http://manageiq.org/
TRANSCRIPT
Security: Trusting Identities
Introductions
Alberto Bellotti, github: abellotti
Keenan Brock, github: kbrock, twitter: @kbrock
Overview
● Definition
● Mechanics
● Components of the system
● Goals
● Demo
● Future
Definition: Identity and Trust
● Authentication
○ What is your identity?
● Authorization
○ What do I trust you to do?
● Auditing
○ What did you actually do?
Goals: Identity and Trust
● Fewer copies
● Simpler definitions
● Leverage existing definitions
○ identity stores
○ trust profiles
Goals: Desired Results
● Simplify appliance configuration
● Simplify access for users (SSO)
● More secure system
Accessing Auth* sources
[Diagram: components involved in reaching each auth source: Postgres (Vmdb), Amazon (ReST, Aws Client), IdM/LDAP (Kerberos, LDAP), Apache, sssd/pam (kerberos), UI/WS Workers, LDAP, AD, Appliance Console, /etc/passwd (Terminal), KDC, Appliance, IdM]
Mechanics?
● Client
○ Provides identity
● Server
○ Has a copy of identity
○ Fetch stored identity
○ Grant trust
What is a Client and Server
A system or component that calls another:
● User
● Computer
● Component
Mechanics: Client’s Identity
● Password
● Kerberos ticket (keytab)
● IP address
● Client-side certificates*
● SAML (SSO)*
* future
Mechanics - Copy of Identity
● plaintext
● md5
● aes - symmetric cipher (v2_key)
● id_rsa.pub
Goal: protect the identity
Mechanics - Fetch Identity
● Postgres table (e.g.: pg_shadow, users)
● Host based (firewall)
● Filesystem (e.g.: /etc/passwd)
● LDAP (AD, IdM)
● Kerberos (IdM)*
● Amazon (IAM)
● Certificate Authority*
* generated remotely, stored locally
Mechanics - Grant Trust
● Same password or md5
● Correct IP / user
● Ticket has correct origin
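The "copy of identity" forms above (plaintext, md5, AES with the v2_key) and the "grant trust" comparison against each, as an added Ruby example that is not from the slides or the ManageIQ code base. IdentityStore, V2_KEY and grant_trust? are illustrative names; the public-key (id_rsa.pub) form is not shown.

```ruby
require 'openssl'
require 'digest'
require 'securerandom'
# Added example: the "copy of identity" forms from the slides side by side and
# the "grant trust" comparison against each. IdentityStore, V2_KEY and
# grant_trust? are illustrative names, not ManageIQ's own API.
V2_KEY = OpenSSL::Cipher.new('aes-256-cbc').random_key # stand-in for the appliance's v2_key
module IdentityStore
  # Digest: one-way, so a leaked copy is not the password. Unsalted md5 (the slide's
  # example) is cheap to brute-force; salting gives each user a distinct digest.
  def self.store_md5(password)
    Digest::MD5.hexdigest(password)
  end
  def self.store_salted(password, salt = SecureRandom.hex(8))
    "#{salt}$#{Digest::SHA256.hexdigest(salt + password)}"
  end
  # AES (v2_key): reversible, for secrets the appliance must later present to
  # another system. Protecting the key file is what protects the identity.
  def self.encrypt_aes(secret, key = V2_KEY)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = key
    iv = cipher.random_iv                      # fresh IV per record
    iv + cipher.update(secret) + cipher.final  # IV stored with the ciphertext
  end

  def self.decrypt_aes(blob, key = V2_KEY)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = key
    cipher.iv = blob[0, 16]
    (cipher.update(blob[16..-1]) + cipher.final).force_encoding(Encoding::UTF_8)
  end
end

# Constant-time byte comparison so a mismatch does not leak its position.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "Grant trust": bring the presented secret into the stored form, then compare.
def grant_trust?(stored, presented, kind)
  expected, candidate =
    case kind
    when :plaintext then [stored, presented]
    when :md5       then [stored, IdentityStore.store_md5(presented)]
    when :salted    then [stored, IdentityStore.store_salted(presented, stored.split('$', 2).first)]
    when :aes       then [IdentityStore.decrypt_aes(stored), presented]
    else raise ArgumentError, "unknown identity copy: #{kind}"
    end
  constant_time_eq?(expected, candidate)
end
```

A leaked digest column costs an attacker a brute-force run; a leaked AES column plus the key file costs nothing, which is why the slides frame the key as the thing to protect.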
IdM/Kerberos SSO Demo
● External Authentication
● Web-UI Login
● ReST API access
● Web-UI SSO Login
All using IPA credentials
Going forward
● Tighter authorization of components
● Moving LDAP/AD configuration to console/Apache
● Leveraging Apache/IdM
○ AD
○ SAML
○ 2-Factor Authentication